Hi there,
I'm really interested in CleanTalk, especially since I saw in the test phase that it works great.

Now I was digging a little deeper, and found out that regarding the German law (… I'm located in Germany) you are not allowed to send user data like the IP address unencrypted. At least not outside Germany, I guess … (I'm still learning the exact laws.)
Now I saw that one of your servers is actually located in Germany.

Is there maybe the option to make sure that the data is only transferred there? Do you have any information or plans regarding the privacy policies that are in the EU?

I guess this is a really big issue, and I would like to know the exact facts before signing up for the service. (… maybe also some ready-to-copy texts for the privacy policy that every website must have?)

This post is more than 2 years old now. I purchased Pro already and use your plugin while developing a big WordPress blog. To push your plugin through the customer's IT security, we need details about how you process the commenters'/visitors' data:

- what data exactly do you collect?
- to which physical location / country will the comment / form data be sent and stored?
- how long the data is stored?

Background: In Germany the storage of user data in foreign countries without anonymizing them is a big issue.

We collect the following information: IP, email, nickname of the message sender, information about the JavaScript technology in the sender's browser, and the text of the sender's comment. The Service uses this information to detect spam activity of the sender and stores it on the servers for 7 to 45 days.

- to which physical location / country the comment / form data is sent?

We have servers in the U.S. and in Europe. We may transfer information that we collect about you, including personal information, to affiliated entities, or to other third parties (as provided herein) across borders and from your country or jurisdiction to other countries or jurisdictions around the world. If you are located in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that you are transferring information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction, and you consent to the transfer of information to the U.S. and the use and disclosure of information about you, including personal information, as described in the Privacy Policy.

You can find the privacy policy on the page below; please see the title "Privacy policy".

Please, do the following to meet GDPR requirements:
Go to your CleanTalk Control Panel [ http://cleantalk.org/my/ ] —> press the line “Settings” under the name of your website —> enable “Don’t save approved requests” —> Save.
That option refers to the records of your Anti-Spam Log.
You can see it here:

As stated in the tooltip, the option will remove emails, nicknames and messages from approved registrations, comments, orders and contact messages.
You will still be able to see date/time and IPs in your Anti-Spam Log.
The data of European users is processed on the server located in Europe.
Here is our privacy policy:

I think you will need to provide a specific Data Processor Agreement in your terms and conditions for your paying customers showing how you are meeting the requirements of the GDPR. From May 25th we will be required to use GDPR compliant data processors only. For example (from the UK Information Commissioner's Office) "Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected."

GDPR includes IP addresses as identifying personal data, so based on what you've said about the IP address being retained when the email address and other personal data are deleted, this would still be an issue, unless you can provide the guarantees that you meet the requirements of the GDPR.

When you say that the data of European users is processed in Europe, does this happen automatically? Can I check I have understood it correctly - if a comment is made by a data subject in the EU, their data including IP address is never transferred out of the EU?

I hope you will become fully compliant as I value your service and indeed have just renewed for another year, but at the same time we can't afford to risk our own compliance and part of that is the requirement to have a DPA with all our processors.